| ID | Technique | Tactic |
|---|---|---|
| T1204.003 | Malicious Image | Execution |
Detection: Cisco Isovalent - Non Allowlisted Image Use
Description
The following analytic detects use of container images that fall outside an approved
allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and
workload identity). Adversaries commonly introduce untrusted or newly published
images to deploy tooling, establish persistence, or abuse supply‑chain trust. This
behavior may indicate image pulls from unauthorized registries, execution of
unvetted software, or a drift from established deployment baselines. Extra scrutiny
is warranted for namespaces and workloads that normally source images from restricted
registries, and for pods that suddenly begin running images outside expected
prefixes.
Maintain an environment‑specific allowlist via the macro cisco_isovalent_allowed_images
(for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/",
"registry.local/", or "myco/*") and keep it updated as new baseline images are
introduced. This analytic alerts on images NOT matching the allowlist.
Search
```spl
`cisco_isovalent_process_exec` pod_name!=""
| search NOT `cisco_isovalent_allowed_images`
| stats count
    min(_time) as firstTime
    max(_time) as lastTime
    by pod_image_name pod_namespace pod_name process_name cluster_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___non_allowlisted_image_use_filter`
```
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Isovalent Process Exec | Other | 'cisco:isovalent:processExec' | 'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_isovalent_allowed_images | pod_image_name IN ("docker.io/library/ubuntu:22.04","docker.io/grafana/grafana:12.0.1", "quay.io/isovalent-dev/tetragon-ci*","quay.io/isovalent/tetragon-ci*","quay.io/isovalent/hubble-export-fluentd*") |
| cisco_isovalent___non_allowlisted_image_use_filter | search * |
cisco_isovalent___non_allowlisted_image_use_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
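The search above is compact, so it is easy to misjudge what the allowlist actually lets through. The following Python model is an added example, not part of the Splunk content or of Cisco Isovalent: it reproduces the pipeline's logic (drop events with no pod_name, drop images matching the macro, then stats count/min/max by the grouping fields) over a handful of constructed process_exec events, and shows how adding a prefix pattern to the allowlist tunes out a known-good registry. The allowlist values are copied from the macro on this page; the matcher assumes Splunk search semantics for an IN() value (a `*` wildcard, case-insensitive comparison), and the sample events, registry names and cluster name are invented.

```python
import re

# Allowlist copied from this page's cisco_isovalent_allowed_images macro.
ALLOWED_IMAGES = [
    "docker.io/library/ubuntu:22.04",
    "docker.io/grafana/grafana:12.0.1",
    "quay.io/isovalent-dev/tetragon-ci*",
    "quay.io/isovalent/tetragon-ci*",
    "quay.io/isovalent/hubble-export-fluentd*",
]

# Constructed sample process_exec events (not real Tetragon telemetry). Field names
# follow the fields the SPL groups by; _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "cluster_name": "prod-eu1", "pod_namespace": "monitoring",
     "pod_name": "grafana-7d9f", "pod_image_name": "docker.io/grafana/grafana:12.0.1",
     "process_name": "/usr/share/grafana/bin/grafana"},
    {"_time": 1700000005, "cluster_name": "prod-eu1", "pod_namespace": "kube-system",
     "pod_name": "tetragon-abc12", "pod_image_name": "quay.io/isovalent/tetragon-ci:v1.2.0",
     "process_name": "/usr/bin/tetragon"},
    {"_time": 1700000010, "cluster_name": "prod-eu1", "pod_namespace": "default",
     "pod_name": "debug-shell", "pod_image_name": "docker.io/library/alpine:3.19",
     "process_name": "/bin/sh"},
    {"_time": 1700000070, "cluster_name": "prod-eu1", "pod_namespace": "default",
     "pod_name": "debug-shell", "pod_image_name": "docker.io/library/alpine:3.19",
     "process_name": "/bin/sh"},
    {"_time": 1700000040, "cluster_name": "prod-eu1", "pod_namespace": "team-a",
     "pod_name": "api-5f6c", "pod_image_name": "registry.internal/team-a/api:2.3.1",
     "process_name": "/app/api"},
    # Host (non-pod) process: pod_name is empty, so the search's pod_name!="" drops it.
    {"_time": 1700000020, "cluster_name": "prod-eu1", "pod_namespace": "",
     "pod_name": "", "pod_image_name": "", "process_name": "/usr/sbin/sshd"},
]

GROUP_BY = ("pod_image_name", "pod_namespace", "pod_name", "process_name", "cluster_name")


def _splunk_pattern(value):
    """Compile a Splunk search value into a regex: '*' is a wildcard, everything else
    is literal, and the comparison is case-insensitive (assumed Splunk semantics)."""
    return re.compile(".*".join(re.escape(part) for part in value.split("*")), re.IGNORECASE)


def is_allowlisted(image, allowlist=ALLOWED_IMAGES):
    """True when pod_image_name IN (allowlist) would match, as the macro does."""
    return any(_splunk_pattern(p).fullmatch(image) for p in allowlist)


def non_allowlisted_image_use(events, allowlist=ALLOWED_IMAGES):
    """Model of the SPL pipeline. Returns {group_key: {count, firstTime, lastTime}}
    where group_key is the tuple of GROUP_BY field values."""
    results = {}
    for ev in events:
        if not ev.get("pod_name"):          # pod_name!=""
            continue
        if is_allowlisted(ev["pod_image_name"], allowlist):  # search NOT `allowed_images`
            continue
        key = tuple(ev[f] for f in GROUP_BY)
        row = results.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1                                   # stats count
        row["firstTime"] = min(row["firstTime"], ev["_time"])  # min(_time) as firstTime
        row["lastTime"] = max(row["lastTime"], ev["_time"])    # max(_time) as lastTime
    return results


def risk_message(group_key):
    """Render the page's RBA risk message for one result row."""
    image, _namespace, pod, _process, cluster = group_key
    return f"Non Allowlisted image [{image}] used by pod [{pod}] in the cluster [{cluster}]"


if __name__ == "__main__":
    # With the shipped allowlist, alpine and the internal registry image both alert.
    for key, row in non_allowlisted_image_use(SAMPLE_EVENTS).items():
        print(risk_message(key), row)
    # Tuning: once team-a's registry prefix is allowlisted, only the ad-hoc alpine shell remains.
    tuned = ALLOWED_IMAGES + ["registry.internal/team-a/*"]
    for key, row in non_allowlisted_image_use(SAMPLE_EVENTS, tuned).items():
        print("after tuning:", risk_message(key), row)
```

Two points the model makes visible: the trailing `*` patterns match any tag of the Isovalent images (so a pinned-tag entry like `ubuntu:22.04` is the stricter form of allowlisting), and the `pod_name!=""` filter means host processes reported by Tetragon never reach the allowlist check, so this analytic covers only in-pod executions.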
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
Implementation
The detection is based on process execution data generated by Cisco Isovalent Runtime Security. Ensure that Isovalent Runtime Security is deployed and configured in your Kubernetes environment to emit process_exec events. Configure the Cisco Security Cloud TA to collect these logs via HTTP Event Collector (HEC) and normalize them into the Splunk Common Information Model. This integration ensures that all relevant pod, container, and process activity is captured for monitoring and detection of suspicious behavior. Create and maintain an environment-specific macro named cisco_isovalent_allowed_images that returns true for approved images, for example: (ImageName="gcr.io/org/app:" OR ImageName="registry.local/" OR ImageName="myco/*"). The search alerts on images NOT matching that allowlist. Tune by namespace or team as needed.
Known False Positives
New legitimate images during rollouts or blue/green deployments may appear until the allowlist is updated. Coordinate with platform/DevOps teams to synchronize allowlist changes.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Non Allowlisted image [$pod_image_name$] used by pod [$pod_name$] in the cluster [$cluster_name$]
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| pod_name | system | 45 | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable | cisco:isovalent:processExec |
| Integration | ✅ Passing | Dataset | not_applicable | cisco:isovalent:processExec |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1